Training Courses

IMA - Intermediate Malware Analysis

Equipped with the Dynamic Malware Analysis knowledge from the Basic Malware Analysis course you're ready to adventure into more advanced malware topics by attending the Intermediate Malware Analysis course. During this five day course we'll show you how to do Static Malware Analysis using a debugger and disassembler. Since looking at assembly code in a debugger can be frustrating and almost impossible without a previous understanding of programming fundamentals and compiler operations we require that the students who attend this course have Assembly language knowledge or have completed our Assembly for Reverse Engineers course.

During the week of instruction we introduce you to the OllyDbg Debugger and IDA Pro Disassembler. Through controlled evaluation using the debugger we'll teach you how to identify exactly what the malware specimen does and how it's doing it. After you've mastered the evaluation portion of the class we'll teach you how to patch the specimen to make sections inactive or crack the program to allow full access to areas that have been hidden or encrypted by the malware developer.

Attending students should have a thorough understanding of Microsoft Windows

Experience with VMWare software although not required would be beneficial

Basic knowledge and skills required to read Intel X86 Assembly

C Programming skills is recommended

PERL or Python scripting skills would be beneficial

Knowledge of networking protocols and Wireshark filtering is recommended

Who Should Attend

Threat operation analysts seeking to have a better understanding of malware

Incident responders who need to quickly address a system security breach

Forensic investigators who need to identify malicious software

Individuals who have experimented with malware analysis and want to expand their malware analysis techniques and methodologies

Students who have mastered Behavioral Malware Analysis and want to take the next step into reversing

Outline

O/S Concepts Regarding Reverse Engineering

Windows Architecture

Kernel vs User Mode

Layered O/S

Monolithic Kernel

Core Windows System Components

API (Win32 vs Native)

Base Services

Component Services

User Interface Services

Graphical and Multimedia Services

Messaging and Collaboration

Networking

Web Services

System Calls

Sys Call Types

Process control

File manipulation

Device manipulation

Information maintenance

Communications

Sys Call Rabbit Hole

Processes and Threads Review

Memory Management

Dynamic Loading

Dynamic Linking

Windows Memory Management Architecture

PE File Format

PE Format Usage

File Types Using PE Format

DOS MZ Header

PE Header

Section Table

Sections

Windows Import Address Table

Static Analysis Process

Debuggers

Debugging Basics

How Debuggers Work

Debugging Features

Commonly Used Debuggers

OllyDbg, WinDbg, IDAPro, KL, SoftIce

User Mode Debugging

Remote Kernel Mode Debugging

Debugging API

Structured Exception Handling

Vectored Exception Handling

Single Stepping

Stepping Over

Software Breakpoints

Hardware Breakpoints

Reading and Writing Memory

Initial Breakpoint

Debugging and Security

Debugging Malware Versus Debugging Legitimate Apps

OllyDbg Overview

Main Code Section

Opcodes

Opcode Explanations

Comments Section

Info Bar

Registers Window

Dump Area

Stack Window

Support Windows (Breakpoints, CPU, Call Stack, Etc)

OllyDbg Plug-ins

Patching Executables

Applying Runtime Patches Lab

Patching Part 1 Lab

Patching Part 2 Lab

KeyGen Development

Key Generator Definition

Legitimate Key Generators Versus Underground Key Gens

Studying How Keygens Are Made

Writing Simulated Key Gens (Ethically)

Exploring Executable Modules

Static Malware Analysis

Data Obfuscation Malware Analysis

Simple XOR Encryption

Internal Obfuscation Methods

Reverse Engineering Obfuscated Malware

VM Detection Malware

IDT Methods

SGT Methods

VM Artifacts

Destructive Malware

Reversing and Dealing With Destructive Malware

Combining Behavioral and Static Malware Analysis

Anti-Debugging

Methods / Types

API-based

Exception-based

Process and thread blocks

Modified code

Hardware- and register-based: check for hardware breakpoints and CPU registers

Timing and latency: check the time taken for the execution of instructions

Thread Hiding

Self Debugging

Misc Olly-Dbg Plug-ins

OllyGraph

API Finder

Anti Anti HW Breakpoints

Fader

Find Crypt

OllyStepNSearch

OllySnake

Polymorphic Breakpoint Manager

ANRC Process Injector Tool

Reversing Malicious DLLs

Simple Rootkit Walkthrough

Student Practical Demonstration:

Using the tools, skills, and methodologies taught in Days 1 through 4 of the class students will derive the answers to questions regarding one final real-world malware specimen. Each student will have to reverse engineer the malware to discover its capabilities and persistence level as well as the threat level of the malware.

Lab Outline

Day 1

Lab 1 (Visualizing User vs Kernel Mode)

Lab 2 (Process Explorer Usage)

Lab 3 (Memory Mapping Processes)

Lab 4 (OllyDbg Basic Operations)

Lab 5 (OllyDbg Breakpoints)

Lab 6 (OllyDbg Call Stack Framing)

Lab 7 (Assembly Identification 1)

Lab 8 (Assembly Identification 2)

Lab 9 (PE Header Corruption)

Lab 10 (Debugging an Application)

Day 2

Lab 1 (OllyDbg Applying Runtime Patches)

Lab 2 (Exploring Executable Modules)

Lab 3 (Patching Part 1)

Lab 4 (Patching Part 2)

Lab 5 (Keygen Assignment Part 1)

Lab 6 (Keygen Assignment Part 2)

Lab 7 (Static Malware Analysis Malware Sample 1)

Day 3

Lab 1 (VMWare Detection Lab)

Lab 2 (Malware Specimen 2 Analysis)

Lab 3 (Malware Specimen 3 Analysis)

Lab 4 (Malware Specimen 4 Analysis)

Day 4

Lab 1 (Anti-Debugging Malware Specimen 1)

Lab 2 (Anti-Debugging Malware Specimen 2)

Lab 3 (Anti-Debugging Malware Specimen 3)

Lab 4 (Anti-Debugging Malware Specimen 4)

Day 5 - Student Practical Demonstration:

Using the tools, skills, and methodologies taught in Days 1 through 4 of the class students will derive the answers to questions regarding one final real-world malware specimen. Each student will have to reverse engineer the malware to discover its capabilities and persistence level as well as the threat level of the malware.